How the CIO, CISO and CSO roles are changing

This article was originally published on Technology.Info.

Since the first CISO was appointed back in 1995, the security industry specifically, and business leadership in general, have been thinking and rethinking the need for such a person and the responsibilities that they should have.

Citigroup became the first commercial company to recognize the need for the brand new corporate CISO role when they responded to a highly publicized Russian malware incident. As cyber threats continued to grow in terms of real risk to the business and in the minds of the general public, business leaders recognized the need to dedicate resources to manage that risk.

The first practitioners came out of the technical ranks; the IT shops. Vendor solutions to mitigate the cyber threat ran on networks and workstations. In order to manage those solutions, it was helpful to have people who understood that world. But this was a new thing for the techies; trying to translate technical risk to a business leader did not always go very well. It became convenient to tuck these kinds of people underneath the CIO organization.

CISOs began working for the CIO because, from the C-suite perspective, all of that technical stuff belonged in one basket. As business leaders began applying resources to mitigate cyber risk, other areas of security risk started to emerge: physical security, compliance, fraud prevention, business continuity, safety, ethics, privacy, brand protection, etc.

The Chief Security Officer (CSO) role began to get popular with business leaders because they needed somebody to look at the entire business; not just cyber security risk to the business but general security risk to the business. CSO Magazine launched in 2002 to cater to that crowd. Since then, the industry has been in flux. Not every company organizes the same way. While the Chief Information Officer (CIO) has made its way to the executive suite in some companies (Intel Corp and McAfee to name two), that is by no means the norm.

2. Will the CISO (Chief Information Security Officer) become a distinct role? Will it become more or less common, and why? What does this role now encompass?

The CISO role has emerged in the last five years as the de facto role to manage cyber security. If there isn’t somebody in the organization with the title of CISO, there is somebody in charge of IT security. This person generally works for the CIO, but not in all cases.

From speaking with many CISOs, CSOs, and CIOs, it seems the community has decided that the IT groups handle the day-to-day IT operations while the security groups have much more of an oversight role: Incident Response, Policy, etc. This means that the IT groups keep the firewalls up and running while the security groups are monitoring the logs and advising the CIO on security architecture and policy. Let me just say that I don’t think this is the right model either.

In this modern world, I do not believe that security should be subservient to operations in all cases. Yes, the company has to keep its servers operational, but that does not imply that if push comes to shove, security is the first thing that we turn off in order to maintain operations. For companies that understand risk to the business, security and operations are peers.

3. Is it right that physical and digital security should be merged under one organizational umbrella or should they be kept separate?

I understand why organizations have these two separate security groups. Before the Internet days, we did not have a CISO function. We did have a physical security function, though it was usually relegated to the bottom of the leadership chain.

You needed guards and fences and things like that, but those kinds of operations were more like commodity items, like power to the building or trash pickup. You needed them, but once you established them, they did not materially affect the business even if they failed for a day or two. Because of this, physical security tended to fall under the Facilities Management groups.

The situation has changed, though. Everything is interconnected. Just like every other organization in the business, the physical security groups have a lot of IT security components (badges, surveillance cameras, etc.). These groups and their electronic tools could still operate by themselves, but it makes sense that business leadership tasks somebody in the company to make sure that these tools are compatible with the approved security architecture plan.

In my mind, that is the CSO organization. Just like the idea that there is no such thing as cyber risk to the business, only risk to the business, I don’t think there is a need for separate cyber security and physical security teams. It is all security. Just for ease of management, it makes sense to keep it all under one umbrella. My perfect organization would have a CSO in charge of all security of the company. The CISO would work for him with a dotted line to the CIO. The Physical Security Director would also work for the CSO but would have a close working relationship with the CISO.

4. What skills and qualities should companies be looking for in a CSO going forward? Is the next generation about to enter the workforce going to be equipped for the role? Is the skill set broadening or narrowing?

I still believe the CSO should come up from the technical ranks. Today’s world is so complicated technically that if you do not have that background, you will be completely overrun by the latest security trend. The CSO skill that has to be learned though is how to translate that technical knowledge into something that a business leader will understand or care about.